  • #2082265

    Ed Bott’s Microsoft Challenge–March 16,

    Locked

    by ebott ·

    It’s every administrator’s nightmare. You’ve just taken over a new job after the previous administrator left unexpectedly, and none of the surviving IT staffers know the password for a key Windows 2000 server. What alternatives do you have? I’m interested in third-party tools as well as functions built in to the operating system. I’ll pass out a total of 1,000 TechPoints for the best solutions. If you can help, click here to tackle this week’s Microsoft Challenge. Don’t delay, though. I’ll accept answers only until Thursday, March 23.

All Comments

    • #3898158

      Ed Bott’s Microsoft Challenge–March 16,

      by wired_777 ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      l0pht.com has a password cracking utility for Windows NT that can crack most passwords using a dictionary, or a hybrid brute force/dictionary search, 90% of the time in under 48 hours on a Pentium II 300.

    • #3898155

      Ed Bott’s Microsoft Challenge–March 16,

      by lemasney ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      How about the su.exe [appropriately named] utility that is included with the beta evaluation tools for win2k? Although I haven’t tried it, it’s described as though it could get you in enough to play around as an arbitrary user and then use one of the 64k bugs to sploit. :]

    • #3898154

      Ed Bott’s Microsoft Challenge–March 16,

      by venraju ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      I agree with the first answer. I don’t have any other idea than that one.

    • #3898152

      Ed Bott’s Microsoft Challenge–March 16,

      by avachon ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Look at http://www.pwcrack.com They offer password cracking utilities for virtually any kind of lockout (admin., MS Office, etc.).

    • #3898150

      Ed Bott’s Microsoft Challenge–March 16,

      by j2k ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      I’ve had that very problem before. Check out http://www.winternals.com/products/ntlocksmith.shtml . It’s $49, but well worth it. You can change any account that is on the system.

    • #3898137

      Ed Bott’s Microsoft Challenge–March 16,

      by andy_p ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      This product is now in its third year. As long as you have access to the floppy you can change any user password.
      I’ve mainly used it for NT4, but the product does support 2000.

      http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

      It’s also free

    • #3898133

      Ed Bott’s Microsoft Challenge–March 16,

      by moflic ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      You can’t.
      Brute force can take months to complete if that guy that left was a real administrator and put on a real password.
      The answer above leads to a page that says 2000 support is broken.
      Maybe next year….

    • #3898131

      Ed Bott’s Microsoft Challenge–March 16,

      by egil.danielsen ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      I have to agree with j2k@twcny.rr.com, proposed answer 5.
      With a null modem cable and a laptop it’s possible to change the Administrator’s password with this tool. I have used it several times and it does the job quick and easy.

    • #3898130

      Ed Bott’s Microsoft Challenge–March 16,

      by msullivan ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      I will assume that this is a member server and not a DC. If it were a DC you should contact your previous employer and find out if they have filled your job yet. Additionally, I will assume that the administrator account is the ONLY administrator on the box (otherwise, the first thing I would try is a test of cached passwords to see if they still exist on win2k).
      The rest of these suggestions should be followed by “But I haven’t tried it yet!”
      Win2k has a new file called SAM.sav in the system32\config directory. That may be helpful for rolling back the SAM. Hmmm… There is also a SAM.log file, I wonder what that does?
      My next step would be to try replacing the SAM hive with a known quantity using a dual boot scenario. (always make a backup…yada yada yada)
      While all of this is going on, I would be surfing the web to find a cracking tool that will work against the win2k SAM.

      Good Luck
      Mike Sullivan

    • #3898125

      Ed Bott’s Microsoft Challenge–March 16,

      by tony k ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Okay, most of the answers above won’t work. The bootdisk mentioned works fine for NT4, but the first line on its webpage is that W2K support is broken. It also won’t work on a server with a stripe set. Besides, it’s a server; you don’t reboot servers (at least, I never do).

      Su won’t work, because you’ll need the admin password. There aren’t 64K bugs, just poor reporting and lies.

      Locksmith also doesn’t work on machines with versions higher than SP4.

      L0pht won’t work, either, it relies on NT4’s failings. It also won’t work if you don’t have a password that’s in a dictionary.

      But, there is ONE vulnerability in 2000 that existed in NT4, and can be done while the server’s online:

      Go into %systemroot%\system32.
      Ren logon.scr to logon.old
      Copy cmd.exe to logon.scr
      Logoff, and wait for the “screensaver” (you’ll get a command prompt).
      Under NT4, run musrmgr, under 2000, run mmc.
      You’ll need to add user/group support to the MMC, you can then change any password you want.

      Easy fix for
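
      The post above describes a substitution of the logon screensaver in %systemroot%\system32. The following is an added example, not code from the thread or from any product mentioned in it, showing the integrity check an administrator could run to detect that substitution: it flags a logon.scr that is byte-identical to cmd.exe, a leftover logon.old backup, and (optionally) a logon.scr whose hash differs from a known-good baseline. The directory name, the baseline hash, and the file contents used in the demo are constructed assumptions; on a real host the path would be the actual system32 directory and the baseline would come from a trusted install medium. Since a compromised host can lie about its own files, the check is most trustworthy when run against a disk mounted from clean media.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_logon_scr(system32_dir, baseline_hash=None):
    """Return a list of findings about the logon screensaver in system32_dir.

    An empty list means nothing suspicious was observed. baseline_hash, when
    given, is the SHA-256 of the known-good logon.scr (an assumed value that
    an administrator would record from trusted media).
    """
    findings = []
    scr = os.path.join(system32_dir, "logon.scr")
    cmd = os.path.join(system32_dir, "cmd.exe")
    old = os.path.join(system32_dir, "logon.old")

    if not os.path.exists(scr):
        findings.append("logon.scr missing")
    else:
        scr_hash = sha256_of(scr)
        # The swap described in the thread leaves cmd.exe and logon.scr identical.
        if os.path.exists(cmd) and scr_hash == sha256_of(cmd):
            findings.append("logon.scr is byte-identical to cmd.exe")
        # Any drift from the recorded baseline is worth a look, whatever replaced it.
        if baseline_hash is not None and scr_hash != baseline_hash:
            findings.append("logon.scr hash differs from baseline")

    # The original screensaver renamed aside is a tell-tale leftover.
    if os.path.exists(old):
        findings.append("logon.old present (renamed original screensaver)")
    return findings


# Constructed sample contents standing in for the real binaries (not real PE files).
FAKE_CMD = b"MZ constructed sample standing in for cmd.exe"
FAKE_SCR = b"MZ constructed sample standing in for logon.scr"


def build_sample_system32(swapped):
    """Build a temporary, constructed directory that mimics system32.

    swapped=False: the screensaver is intact.
    swapped=True: logon.scr has been replaced by a copy of cmd.exe and the
    original was renamed to logon.old, as in the post this example follows.
    """
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(FAKE_CMD)
    with open(os.path.join(d, "logon.scr"), "wb") as f:
        f.write(FAKE_CMD if swapped else FAKE_SCR)
    if swapped:
        with open(os.path.join(d, "logon.old"), "wb") as f:
            f.write(FAKE_SCR)
    return d


def baseline_for_sample():
    """Baseline hash of the constructed good screensaver (assumed value)."""
    return hashlib.sha256(FAKE_SCR).hexdigest()


if __name__ == "__main__":
    for state in (False, True):
        d = build_sample_system32(state)
        print("swapped" if state else "intact", check_logon_scr(d, baseline_for_sample()))
```

      Running the block prints an empty finding list for the intact sample and three findings for the swapped one. In practice the same check belongs in whatever periodic integrity job already covers the system directory; the baseline hash is the part that catches replacements other than a plain copy of cmd.exe.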

    • #3898111

      Ed Bott’s Microsoft Challenge–March 16,

      by curious_george ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Both ERD PRO and the Linux Pwd changer boot disk will boot to command line and ignore NTFS security. Then you can access the SAM database directly and create a new pwd. You can’t see the old password but you can create a new one for the local admin.

    • #3898109

      Ed Bott’s Microsoft Challenge–March 16,

      by higun@silverado ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Not knowing how many servers total, but assuming there is backup for this locked one: do a forced shutdown so the backup server kicks in or load is balanced through network fault tolerance, remove the hard drive, insert it in a clean machine with no memory of a password, boot up with the machine in the backup role, choose a new password, then promote.

    • #3898108

      Ed Bott’s Microsoft Challenge–March 16,

      by amnezia ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Seem to remember a note from Jeff Davis about this. Something to do with installing W2K into a second folder – at the time of the first installation. Should this situation occur, use a boot disk to access the second copy of W2K, use the admin login (BLANK) to get access, then …..

      But I guess this’s no use in your situation …

    • #3898043

      Ed Bott’s Microsoft Challenge–March 16,

      by fpling ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      The solution as posted at http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html will work. But some work needs to be done to turn off the syskey. Use the chntpw utility to edit the system registry. Then you can nullify the admin password, or whoever’s password you wish to nullify. True, it will create weirdos in the SAM file. However, it will only affect the user password database. I think this tool is the best!

    • #3897945

      Ed Bott’s Microsoft Challenge–March 16,

      by jtjammer ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      http://www.winternals.com/products/ntlocksmith.shtml

      Been there, used this, no problem.

      James Todd
      jtodd@pf-inc.com

    • #3901782

      Ed Bott’s Microsoft Challenge–March 16,

      by nancy.shelton ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Install Windows 2000 server on another harddrive; create an Administrator USER ID and password. Slave the second harddrive on the server. Change the password for the other Administrator ID.

    • #3901698

      Ed Bott’s Microsoft Challenge–March 16,

      by tony k ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Okay, I’m sorry, but now I see why NT Admins have the rep they do….the problem calls for hacking a Windows **2000** server, not an **NT4** server. You need to read the problem, and provide a solution that will work for the problem in front of you.

      L0pht won’t work. Locksmith won’t work. The Linux boot floppy won’t work. They only work on NT4, and ONLY if the previous admin was lax on security. (Well, the boot floppy would work on a syskeyed system if you want to go manually reset every user’s PW…)

      If you’re going to post a solution, at least take the 2-3 minutes it takes to TEST to see if it will actually work.

    • #3901674

      Ed Bott’s Microsoft Challenge–March 16,

      by c_hall ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Don’t know if it will work for a Win2k server, but when I was at Raytheon, a co-worker of mine had a Linux utility that booted the machine to Linux at power-up. After the machine booted, you were greeted with “Change your NT password?” The disk was, of course, used only in emergencies most dire… He claimed to have found it on the web.

    • #3784419

      Ed Bott’s Microsoft Challenge–March 16,

      by rhenderson ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      Install a second occurrence of Windows 2000 Server, sign on as administrator and change the previous installation’s administrator password. Reboot to the original installation and delete the second install.

    • #3783888

      Ed Bott’s Microsoft Challenge–March 16,

      by johnnyextreme ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      In order to test the effectiveness of our password policy I used a shareware application called L0phtcrack 2.5 which I downloaded from http://www.L0pht.com (that’s a zero, not an o). This utility takes the password hashes directly from the registry of the computer it’s installed on, or remotely from any server the user has administrative rights on, and runs a brute force hack on it to discover the passwords. On one complicated password (11 characters and alphanumeric) it took 15 hours, but it did finally display the entire password. The program figured out the last 3 characters almost immediately, which might help “surviving” IT staffers figure out the rest of it.

    • #3739464

      Ed Bott’s Microsoft Challenge–March 16,

      by ebott ·

      In reply to Ed Bott’s Microsoft Challenge–March 16,

      This question was auto closed due to inactivity
